cleantalk
Vulnerabilities and Security Researches

BJ Lazy Load, CVE-2026-2300

CVE, Research URL

CVE-2026-2300

Home page URL

Security reports for BJ Lazy Load

Application

BJ Lazy Load

Published on
May 12, 2026
Research Description
The BJ Lazy Load plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `filter_images()` function in all versions up to, and including, 1.0.9. This is due to the use of regex-based HTML processing (`preg_replace`) that does not properly handle HTML attribute boundaries when replacing `src` attributes, allowing crafted content inside a `class` attribute value to be promoted to real DOM attributes after processing. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
max 1.0.9.
Status
vulnerable
Previous vulnerability researches
WP Data Access (CVE-2025-39582) , Apr 18, 2025
WP Data Access (CVE-2024-43295) , Aug 20, 2024
WP Data Access (CVE-2021-24866) , Jun 07, 2024
WP Data Access (CVE-2023-1874) , Jun 07, 2024
WP Data Access (CVE-2026-0557) , Apr 15, 2026
New vulnerability
bunny.net – WordPress CDN Plugin (CVE-2025-68049) , May 13, 2026
BJ Lazy Load (CVE-2026-2300) , May 13, 2026
WordPress Survey & Poll – Quiz, Survey and Poll Plugin for WordPress (CVE-2021-47941) , May 13, 2026
WP SEO Structured Data Schema (CVE-2026-3604) , May 13, 2026
WP Data Access (CVE-2026-42665) , May 13, 2026